Restricting Access by URL

The tokens generated from most parameters are not specific to a particular folder or asset. Therefore, those tokens may be reused to authenticate content stored in various folders. The Allow URL parameter (i.e., ec_url_allow), on the other hand, tailors tokens to a particular asset or path. This parameter restricts access to requests whose URLs start with a specific relative path.

Query strings are ignored by this parameter.

The comparison between a request and this parameter's value starts immediately after the request's hostname.

Key information:

Basic Example (Edge CNAME URL)

All of the following requests satisfy this requirement when ec_url_allow is set to "/marketing":

Alternatively, only the first request will satisfy this security requirement when ec_url_allow is set to "/marketing.htm".

Sample URLs

Sample URLs are provided below, along with the portion of each URL that will be compared against the relative path defined for this parameter.

Type | Sample URL | Portion compared
CDN URL | http://can.0001.transactcdn.com/800001/MyServer/marketing.htm | /800001/MyServer/marketing.htm
Edge CNAME URL | http://cdn.mydomain.com/marketing.htm | /marketing.htm

Sample Scenarios

The following sample scenarios demonstrate how different ec_url_allow values are handled.

Scenario #1

This scenario is based on the following request:

Request Description

URL Type | CDN URL
Origin Type | CDN Storage
URL | http://can.0001.transactcdn.com/000001/Secure/index.html

All of the following sample ec_url_allow values authorize the above request.

ec_url_allow Value | Additional Information
/000001 | Authorizes all CDN URL requests to CDN storage.
/000001/Secure/ | Authorizes CDN URL requests to the Secure folder on CDN storage.
/000001/Secure/index.html | Only authorizes this specific CDN URL request.

Scenario #2

This scenario is based on the following request:

Request Description

URL Type | CDN URL
Origin Type | Customer Origin
URL | http://can.0001.transactcdn.com/800001/MyServer/Secure/index.html

All of the following sample ec_url_allow values authorize the above request.

ec_url_allow Value | Additional Information
/800001 | Authorizes CDN URL requests to any customer origin server.
/800001/MyServer/ | Authorizes all CDN URL requests to a customer origin server called "MyServer".
/800001/MyServer/Secure/index.html | Only authorizes this specific CDN URL request.

Scenario #3

This scenario is based on the following request:

Request Description

URL Type | Edge CNAME URL
Origin Type | Customer Origin
URL | http://secure.server.com/marketing/index.html

The hostname "secure.server.com" leverages an edge CNAME configuration that points to:

can.0001.transactcdn.com/800001/MyServer/Secure

All of the following sample ec_url_allow values authorize the above request.

ec_url_allow Value | Additional Information
/ | Authorizes all requests regardless of URL or origin type. The relative path for all requests starts with a "/".
/marketing | Authorizes all edge CNAME URL requests to a folder called "marketing".
/marketing/index.html | Authorizes requests that meet the following criteria: URL Type: Edge CNAME URL; Relative Path: /marketing; File Name: index.html

Additional Sample Scenarios

The sample requests listed in this section leverage a token that contains the following requirement:

ec_url_allow=/Folder1/movie1,/Folder2

The following table describes how sample requests will be handled for this scenario.

Sample Request | Authorized?
http://secure.server.com/Folder1/movie1.flv | Allowed
http://secure.server.com/Folder1/movie1.mpg | Allowed
http://secure.server.com/Folder1/movie1/index.htm | Allowed
http://secure.server.com/Folder2/film.mpg | Allowed
http://secure.server.com/Folder1/movie2.flv | Denied
http://secure.server.com/Folder3 | Denied

The "secure.server.com" hostname points to can.0001.transactcdn.com/800001/MyServer/Secure.
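
The matching rule described on this page can be modelled in a few lines and used to check an ec_url_allow value before it goes into a token. This is an added example, not the CDN's own code: the function names are hypothetical, and it assumes a plain, case-sensitive string-prefix comparison, which is how the sample tables above behave.

```python
from urllib.parse import urlsplit

def url_allowed(request_url, ec_url_allow):
    """Model of the documented rule (not the CDN's own code): the path that
    follows the hostname must start with one of the comma-separated values."""
    path = urlsplit(request_url).path or "/"  # query string is ignored
    prefixes = [v.strip() for v in ec_url_allow.split(",") if v.strip()]
    # Assumption: plain, case-sensitive string-prefix comparison.
    return any(path.startswith(p) for p in prefixes)

def audit_prefixes(ec_url_allow):
    """Return (value, reason) pairs for values broader than one folder or asset."""
    findings = []
    for value in (v.strip() for v in ec_url_allow.split(",")):
        if not value:
            continue
        last_segment = value.rsplit("/", 1)[-1]
        if value == "/":
            findings.append((value, "authorizes every request"))
        elif not value.endswith("/") and "." not in last_segment:
            # e.g. /Folder1/movie1 covers movie1.flv, movie1.mpg and movie1/...
            findings.append((value, "matches any path sharing this prefix"))
    return findings

# Requests and expected results taken from the table above.
TOKEN_VALUE = "/Folder1/movie1,/Folder2"
SAMPLE_REQUESTS = {
    "http://secure.server.com/Folder1/movie1.flv": True,
    "http://secure.server.com/Folder1/movie1.mpg": True,
    "http://secure.server.com/Folder1/movie1/index.htm": True,
    "http://secure.server.com/Folder2/film.mpg": True,
    "http://secure.server.com/Folder1/movie2.flv": False,
    "http://secure.server.com/Folder3": False,
}

if __name__ == "__main__":
    for url, expected in SAMPLE_REQUESTS.items():
        result = url_allowed(url, TOKEN_VALUE)
        print(f"{'Allowed' if result else 'Denied':8} {url}")
        assert result == expected
    for value, reason in audit_prefixes(TOKEN_VALUE):
        print(f"review {value}: {reason}")
```

In this model, ending a folder value with "/" (as in /000001/Secure/) keeps it from matching other names that merely begin with the same characters.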